release: 2021.1.1-stable

# Conflicts:
#	authentik/core/api/applications.py

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 2021.1.1-rc1
+current_version = 2021.1.1-stable
 tag = True
 commit = True
 parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)\-(?P<release>.*)

.github/workflows/release.yml

@@ -18,11 +18,11 @@ jobs:
       - name: Building Docker Image
         run: docker build
           --no-cache
-          -t beryju/authentik:2021.1.1-rc1
+          -t beryju/authentik:2021.1.1-stable
           -t beryju/authentik:latest
           -f Dockerfile .
       - name: Push Docker Container to Registry (versioned)
-        run: docker push beryju/authentik:2021.1.1-rc1
+        run: docker push beryju/authentik:2021.1.1-stable
       - name: Push Docker Container to Registry (latest)
         run: docker push beryju/authentik:latest
   build-proxy:
@@ -34,7 +34,7 @@ jobs:
           go-version: "^1.15"
       - name: prepare go api client
         run: |
-          cd proxy
+          cd outpost
           go get -u github.com/go-swagger/go-swagger/cmd/swagger
           swagger generate client -f ../swagger.yaml -A authentik -t pkg/
           go build -v .
@@ -45,14 +45,14 @@ jobs:
         run: docker login -u $DOCKER_USERNAME -p $DOCKER_PASSWORD
       - name: Building Docker Image
         run: |
-          cd proxy/
+          cd outpost/
           docker build \
           --no-cache \
-          -t beryju/authentik-proxy:2021.1.1-rc1 \
+          -t beryju/authentik-proxy:2021.1.1-stable \
           -t beryju/authentik-proxy:latest \
-          -f Dockerfile .
+          -f proxy.Dockerfile .
       - name: Push Docker Container to Registry (versioned)
-        run: docker push beryju/authentik-proxy:2021.1.1-rc1
+        run: docker push beryju/authentik-proxy:2021.1.1-stable
       - name: Push Docker Container to Registry (latest)
         run: docker push beryju/authentik-proxy:latest
   build-static:
@@ -69,11 +69,11 @@ jobs:
           cd web/
           docker build \
           --no-cache \
-          -t beryju/authentik-static:2021.1.1-rc1 \
+          -t beryju/authentik-static:2021.1.1-stable \
           -t beryju/authentik-static:latest \
           -f Dockerfile .
       - name: Push Docker Container to Registry (versioned)
-        run: docker push beryju/authentik-static:2021.1.1-rc1
+        run: docker push beryju/authentik-static:2021.1.1-stable
       - name: Push Docker Container to Registry (latest)
         run: docker push beryju/authentik-static:latest
   test-release:
@@ -107,5 +107,5 @@ jobs:
           SENTRY_PROJECT: authentik
           SENTRY_URL: https://sentry.beryju.org
         with:
-          tagName: 2021.1.1-rc1
+          tagName: 2021.1.1-stable
           environment: beryjuorg-prod

authentik/__init__.py

@@ -1,2 +1,2 @@
 """authentik"""
-__version__ = "2021.1.1-rc1"
+__version__ = "2021.1.1-stable"

authentik/admin/tests/test_tasks.py

@@ -50,7 +50,8 @@ class TestAdminTasks(TestCase):
         self.assertEqual(cache.get(VERSION_CACHE_KEY), "99999999.9999999")
         self.assertTrue(
             Event.objects.filter(
-                action=EventAction.UPDATE_AVAILABLE, context__new_version="99999999.9999999"
+                action=EventAction.UPDATE_AVAILABLE,
+                context__new_version="99999999.9999999",
             ).exists()
         )
         # test that a consecutive check doesn't create a duplicate event
@@ -58,7 +59,8 @@ class TestAdminTasks(TestCase):
         self.assertEqual(
             len(
                 Event.objects.filter(
-                    action=EventAction.UPDATE_AVAILABLE, context__new_version="99999999.9999999"
+                    action=EventAction.UPDATE_AVAILABLE,
+                    context__new_version="99999999.9999999",
                 )
             ),
             1,

authentik/core/api/applications.py

@@ -86,7 +86,11 @@ class ApplicationViewSet(ModelViewSet):
                 engine.build()
                 if engine.passing:
                     allowed_applications.append(application)
-            cache.set(user_app_cache_key(self.request.user.pk), allowed_applications)
+            cache.set(
+                user_app_cache_key(self.request.user.pk),
+                allowed_applications,
+                timeout=86400,
+            )
         serializer = self.get_serializer(allowed_applications, many=True)
         return self.get_paginated_response(serializer.data)
 

authentik/outposts/tasks.py

@@ -49,9 +49,15 @@ def outpost_service_connection_state(connection_pk: Any):
 @CELERY_APP.task(bind=True, base=MonitoredTask)
 def outpost_service_connection_monitor(self: MonitoredTask):
     """Regularly check the state of Outpost Service Connections"""
-    for connection in OutpostServiceConnection.objects.all():
+    connections = OutpostServiceConnection.objects.all()
+    for connection in connections.iterator():
         outpost_service_connection_state.delay(connection.pk)
-    self.set_status(TaskResult(TaskResultStatus.SUCCESSFUL))
+    self.set_status(
+        TaskResult(
+            TaskResultStatus.SUCCESSFUL,
+            [f"Successfully updated {len(connections)} connections."],
+        )
+    )
 
 
 @CELERY_APP.task(bind=True, base=MonitoredTask)

authentik/policies/engine.py

@@ -1,6 +1,6 @@
 """authentik policy engine"""
 from enum import Enum
-from multiprocessing import Pipe, set_start_method
+from multiprocessing import Pipe, current_process
 from multiprocessing.connection import Connection
 from typing import Iterator, List, Optional
 
@@ -16,9 +16,7 @@ from authentik.policies.process import PolicyProcess, cache_key
 from authentik.policies.types import PolicyRequest, PolicyResult
 
 LOGGER = get_logger()
-# This is only really needed for macOS, because Python 3.8 changed the default to spawn
+CURRENT_PROCESS = current_process()
-# spawn causes issues with objects that aren't picklable, and also the django setup
-set_start_method("fork")
 
 
 class PolicyProcessInfo:
@@ -117,14 +115,19 @@ class PolicyEngine:
                 LOGGER.debug("P_ENG: Evaluating policy", policy=binding.policy)
                 our_end, task_end = Pipe(False)
                 task = PolicyProcess(binding, self.request, task_end)
+                task.daemon = False
                 LOGGER.debug("P_ENG: Starting Process", policy=binding.policy)
-                task.start()
+                if CURRENT_PROCESS._config.get("daemon"):
+                    task.run()
+                else:
+                    task.start()
                 self.__processes.append(
                     PolicyProcessInfo(process=task, connection=our_end, binding=binding)
                 )
             # If all policies are cached, we have an empty list here.
             for proc_info in self.__processes:
-                proc_info.process.join(proc_info.binding.timeout)
+                if proc_info.process.is_alive():
+                    proc_info.process.join(proc_info.binding.timeout)
                 # Only call .recv() if no result is saved, otherwise we just deadlock here
                 if not proc_info.result:
                     proc_info.result = proc_info.connection.recv()

authentik/policies/process.py

@@ -1,5 +1,5 @@
 """authentik policy task"""
-from multiprocessing import Process
+from multiprocessing import get_context
 from multiprocessing.connection import Connection
 from traceback import format_tb
 from typing import Optional
@@ -28,7 +28,11 @@ def cache_key(binding: PolicyBinding, request: PolicyRequest) -> str:
     return prefix
 
 
-class PolicyProcess(Process):
+FORK_CTX = get_context("fork")
+PROCESS_CLASS = FORK_CTX.Process
+
+
+class PolicyProcess(PROCESS_CLASS):
     """Evaluate a single policy within a seprate process"""
 
     connection: Connection

authentik/stages/password/stage.py

@@ -31,7 +31,11 @@ def authenticate(
 
     Customized version of django's authenticate, which accepts a list of backends"""
     for backend_path in backends:
-        backend: BaseBackend = path_to_class(backend_path)()
+        try:
+            backend: BaseBackend = path_to_class(backend_path)()
+        except ImportError:
+            LOGGER.warning("Failed to import backend", path=backend_path)
+            continue
         LOGGER.debug("Attempting authentication...", backend=backend)
         user = backend.authenticate(request, **credentials)
         if user is None:

docker-compose.yml

@@ -19,7 +19,7 @@ services:
     networks:
       - internal
   server:
-    image: beryju/authentik:${AUTHENTIK_TAG:-2021.1.1-rc1}
+    image: beryju/authentik:${AUTHENTIK_TAG:-2021.1.1-stable}
     command: server
     environment:
       AUTHENTIK_REDIS__HOST: redis
@@ -45,7 +45,7 @@ services:
     env_file:
       - .env
   worker:
-    image: beryju/authentik:${AUTHENTIK_TAG:-2021.1.1-rc1}
+    image: beryju/authentik:${AUTHENTIK_TAG:-2021.1.1-stable}
     command: worker
     networks:
       - internal
@@ -62,7 +62,7 @@ services:
     env_file:
       - .env
   static:
-    image: beryju/authentik-static:${AUTHENTIK_TAG:-2021.1.1-rc1}
+    image: beryju/authentik-static:${AUTHENTIK_TAG:-2021.1.1-stable}
     networks:
       - internal
     labels:

helm/Chart.yaml

@@ -4,7 +4,7 @@ name: authentik
 home: https://goauthentik.io
 sources:
   - https://github.com/BeryJu/authentik
-version: "2021.1.1-rc1"
+version: "2021.1.1-stable"
 icon: https://raw.githubusercontent.com/BeryJu/authentik/master/web/icons/icon.svg
 dependencies:
   - name: postgresql

helm/README.md

@@ -4,7 +4,7 @@
 |-----------------------------------|-------------------------|-------------|
 | image.name                        | beryju/authentik        | Image used to run the authentik server and worker |
 | image.name_static                 | beryju/authentik-static | Image used to run the authentik static server (CSS and JS Files) |
-| image.tag                         | 2021.1.1-rc1           | Image tag |
+| image.tag                         | 2021.1.1-stable           | Image tag |
 | image.pullPolicy                  | IfNotPresent            | Image Pull Policy used for all deployments |
 | serverReplicas                    | 1                       | Replicas for the Server deployment |
 | workerReplicas                    | 1                       | Replicas for the Worker deployment |

helm/templates/configmap.yaml

@@ -20,7 +20,7 @@ data:
   OUTPOSTS__DOCKER_IMAGE_BASE: "{{ .Values.image.name_outposts }}"
   EMAIL__HOST: "{{ .Values.config.email.host }}"
   EMAIL__PORT: "{{ .Values.config.email.port }}"
-  EMAIL__USERNAM: "{{ .Values.config.email.username }}"
+  EMAIL__USERNAME: "{{ .Values.config.email.username }}"
   EMAIL__USE_TLS: "{{ .Values.config.email.use_tls }}"
   EMAIL__USE_SSL: "{{ .Values.config.email.use_ssl }}"
   EMAIL__TIMEOUT: "{{ .Values.config.email.timeout }}"

helm/templates/secret.yaml

@@ -6,11 +6,11 @@ metadata:
 data:
   monitoring_username: bW9uaXRvcg== # monitor in base64
   {{- if .Values.config.secretKey }}
-  SECRET_KEY: {{ .Values.config.secretKey | b64enc | quote }}
+  secret_key: {{ .Values.config.secretKey | b64enc | quote }}
   {{- else }}
-  SECRET_KEY: {{ randAlphaNum 50 | b64enc | quote}}
+  secret_key: {{ randAlphaNum 50 | b64enc | quote}}
   {{- end }}
   {{- if .Values.backup }}
   POSTGRESQL__S3_BACKUP__SECRET_KEY: "{{ .Values.backup.secretKey }}"
   {{- end}}
-  EMAIL__PASSWOR: "{{ .Values.config.email.password }}"
+  EMAIL__PASSWORD: "{{ .Values.config.email.password }}"

helm/templates/web-deployment.yaml

@@ -117,7 +117,7 @@ spec:
               memory: 300M
             limits:
               cpu: 300m
-              memory: 600MiB
+              memory: 600M
       volumes:
         - name: authentik-uploads
           persistentVolumeClaim:

helm/values.yaml

@@ -5,7 +5,7 @@ image:
   name: beryju/authentik
   name_static: beryju/authentik-static
   name_outposts: beryju/authentik # Prefix used for Outpost deployments, Outpost type and version is appended
-  tag: 2021.1.1-rc1
+  tag: 2021.1.1-stable
   pullPolicy: IfNotPresent
 
 serverReplicas: 1

outpost/pkg/version.go

@@ -1,3 +1,3 @@
 package pkg
 
-const VERSION = "2021.1.1-rc1"
+const VERSION = "2021.1.1-stable"

web/src/authentik.css

@@ -81,7 +81,7 @@ select[multiple] {
     font-size: var(--pf-global--FontSize--sm);
 }
 
-.pf-c-page__main {
+.pf-c-page__main, .pf-c-drawer__content, .pf-c-page__drawer {
     z-index: auto !important;
 }
 

web/src/constants.ts

@@ -28,4 +28,4 @@ export const ColorStyles = css`
         background-color: var(--pf-global--danger-color--100);
     }
 `;
-export const VERSION = "2021.1.1-rc1";
+export const VERSION = "2021.1.1-stable";

website/docs/installation/docker-compose.md

@@ -15,7 +15,7 @@ Download the latest `docker-compose.yml` from [here](https://raw.githubuserconte
 
 To optionally enable error-reporting, run `echo AUTHENTIK_ERROR_REPORTING__ENABLED=true >> .env`
 
-To optionally deploy a different version run `echo AUTHENTIK_TAG=2021.1.1-rc1 >> .env`
+To optionally deploy a different version run `echo AUTHENTIK_TAG=2021.1.1-stable >> .env`
 
 If this is a fresh authentik install run the following commands to generate a password:
 

website/docs/installation/kubernetes.md

@@ -24,7 +24,7 @@ image:
     name: beryju/authentik
     name_static: beryju/authentik-static
     name_outposts: beryju/authentik # Prefix used for Outpost deployments, Outpost type and version is appended
-    tag: 2021.1.1-rc1
+    tag: 2021.1.1-stable
 
 serverReplicas: 1
 workerReplicas: 1